24 package waffle.apache;
25
26 import java.io.IOException;
27 import java.security.Principal;
28 import java.util.Arrays;
29 import java.util.LinkedHashSet;
30 import java.util.Locale;
31 import java.util.Set;
32
33 import javax.servlet.ServletException;
34 import javax.servlet.http.HttpServletResponse;
35
36 import org.apache.catalina.LifecycleException;
37 import org.apache.catalina.authenticator.AuthenticatorBase;
38 import org.apache.catalina.connector.Request;
39 import org.apache.catalina.realm.GenericPrincipal;
40 import org.slf4j.Logger;
41
42 import waffle.windows.auth.IWindowsAuthProvider;
43 import waffle.windows.auth.IWindowsIdentity;
44 import waffle.windows.auth.PrincipalFormat;
45 import waffle.windows.auth.impl.WindowsAuthProviderImpl;
46
47
48
49
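/**
 * Common base for the Waffle Tomcat authenticators.
 *
 * <p>Holds the configurable state shared by the concrete authenticators (principal/role formats,
 * guest-login policy, the list of SPNEGO protocols advertised in {@code WWW-Authenticate}, the
 * continue-context timeout) and the {@link IWindowsAuthProvider} used to log users on. It also
 * implements the Windows-backed {@link #doLogin(Request, String, String)} used for BASIC/FORM style
 * username/password logins.
 *
 * <p>This class never assigns {@link #log} or {@link #info}; concrete subclasses are expected to do so
 * before any method that logs is called.
 */
abstract class WaffleAuthenticatorBase extends AuthenticatorBase {

    /**
     * Protocols this authenticator knows how to negotiate. Kept insertion-ordered because
     * {@link #sendUnauthorized(HttpServletResponse)} emits one {@code WWW-Authenticate} header per
     * entry in this order (Negotiate first, then NTLM). Matching in {@link #setProtocols(String)} is
     * case-sensitive.
     */
    private static final Set<String> SUPPORTED_PROTOCOLS = new LinkedHashSet<>(
            Arrays.asList("Negotiate", "NTLM"));

    /** Implementation info string returned by {@link #getInfo()}; not assigned in this class. */
    protected String info;

    /** Logger used by every method below; not assigned in this class. */
    protected Logger log;

    /** Format used for the principal name of authenticated users. Defaults to {@link PrincipalFormat#FQN}. */
    protected PrincipalFormat principalFormat = PrincipalFormat.FQN;

    /** Format used for the group/role names of authenticated users. Defaults to {@link PrincipalFormat#FQN}. */
    protected PrincipalFormat roleFormat = PrincipalFormat.FQN;

    /**
     * Whether a logon that resolves to the Windows Guest account is accepted. When {@code false},
     * {@link #doLogin(Request, String, String)} rejects guest identities and falls back to the
     * container realm.
     */
    protected boolean allowGuestLogin = true;

    /** Protocols advertised in {@code WWW-Authenticate} challenges. Defaults to all supported ones. */
    protected Set<String> protocols = WaffleAuthenticatorBase.SUPPORTED_PROTOCOLS;

    /** Timeout handed to {@link WindowsAuthProviderImpl} for partially negotiated security contexts. */
    protected int continueContextsTimeout = WindowsAuthProviderImpl.CONTINUE_CONTEXT_TIMEOUT;

    /** Provider performing the actual Windows logon; replaced in {@link #startInternal()}. */
    protected IWindowsAuthProvider auth;

    /**
     * Returns the continue-context timeout.
     *
     * @return the timeout value passed to the authentication provider
     */
    public int getContinueContextsTimeout() {
        return this.continueContextsTimeout;
    }

    /**
     * Sets the continue-context timeout. Only takes effect for providers created afterwards by
     * {@link #startInternal()}.
     *
     * @param continueContextsTimeout
     *            the new timeout value
     */
    public void setContinueContextsTimeout(final int continueContextsTimeout) {
        this.continueContextsTimeout = continueContextsTimeout;
    }

    /**
     * Returns the Windows authentication provider.
     *
     * @return the current provider, or {@code null} before {@link #startInternal()} or
     *         {@link #setAuth(IWindowsAuthProvider)} has run
     */
    public IWindowsAuthProvider getAuth() {
        return this.auth;
    }

    /**
     * Sets the Windows authentication provider. Note that {@link #startInternal()} unconditionally
     * installs a fresh {@link WindowsAuthProviderImpl}, replacing whatever was set here.
     *
     * @param provider
     *            the provider to use
     */
    public void setAuth(final IWindowsAuthProvider provider) {
        this.auth = provider;
    }

    /**
     * Returns the implementation info string.
     *
     * @return the value of {@link #info}
     */
    public String getInfo() {
        return this.info;
    }

    /**
     * Sets the principal name format from its case-insensitive textual name.
     *
     * @param format
     *            a {@link PrincipalFormat} constant name, e.g. {@code "fqn"} or {@code "sid"}
     * @throws IllegalArgumentException
     *             if {@code format} is not a {@link PrincipalFormat} constant
     */
    public void setPrincipalFormat(final String format) {
        // Locale.ENGLISH avoids locale-dependent upper-casing surprises (e.g. Turkish dotless i).
        this.principalFormat = PrincipalFormat.valueOf(format.toUpperCase(Locale.ENGLISH));
        this.log.debug("principal format: {}", this.principalFormat);
    }

    /**
     * Returns the principal name format.
     *
     * @return the configured {@link PrincipalFormat}
     */
    public PrincipalFormat getPrincipalFormat() {
        return this.principalFormat;
    }

    /**
     * Sets the role name format from its case-insensitive textual name.
     *
     * @param format
     *            a {@link PrincipalFormat} constant name
     * @throws IllegalArgumentException
     *             if {@code format} is not a {@link PrincipalFormat} constant
     */
    public void setRoleFormat(final String format) {
        this.roleFormat = PrincipalFormat.valueOf(format.toUpperCase(Locale.ENGLISH));
        this.log.debug("role format: {}", this.roleFormat);
    }

    /**
     * Returns the role name format.
     *
     * @return the configured {@link PrincipalFormat}
     */
    public PrincipalFormat getRoleFormat() {
        return this.roleFormat;
    }

    /**
     * Returns whether Guest logons are accepted.
     *
     * @return {@code true} if guest identities may authenticate
     */
    public boolean isAllowGuestLogin() {
        return this.allowGuestLogin;
    }

    /**
     * Sets whether Guest logons are accepted.
     *
     * @param value
     *            {@code true} to accept guest identities
     */
    public void setAllowGuestLogin(final boolean value) {
        this.allowGuestLogin = value;
    }

    /**
     * Sets the protocols advertised in {@code WWW-Authenticate} challenges.
     *
     * <p>The value is a comma-separated list; entries are trimmed and blank entries ignored, so a
     * blank value results in an empty set and {@link #sendUnauthorized(HttpServletResponse)} will
     * emit no challenge header. Names are matched case-sensitively against the supported protocols
     * ({@code Negotiate}, {@code NTLM}). The new set is only installed once every entry has been
     * validated, so a rejected value leaves the previously configured protocols untouched.
     *
     * @param value
     *            comma-separated protocol names
     * @throws IllegalArgumentException
     *             if any entry is not a supported protocol
     */
    public void setProtocols(final String value) {
        final Set<String> parsed = new LinkedHashSet<>();
        for (final String rawName : value.split(",", -1)) {
            final String protocolName = rawName.trim();
            if (protocolName.isEmpty()) {
                continue;
            }
            this.log.debug("init protocol: {}", protocolName);
            if (!WaffleAuthenticatorBase.SUPPORTED_PROTOCOLS.contains(protocolName)) {
                this.log.error("unsupported protocol: {}", protocolName);
                // IllegalArgumentException is a RuntimeException, so existing callers still catch it.
                throw new IllegalArgumentException("Unsupported protocol: " + protocolName);
            }
            parsed.add(protocolName);
        }
        this.protocols = parsed;
    }

    /**
     * Sends a 401 challenge listing each configured protocol in its own {@code WWW-Authenticate}
     * header, asks the client to close the connection, and flushes the response.
     *
     * @param response
     *            the response to write the challenge to
     * @throws RuntimeException
     *             wrapping any {@link IOException} raised while writing
     */
    protected void sendUnauthorized(final HttpServletResponse response) {
        try {
            for (final String protocol : this.protocols) {
                response.addHeader("WWW-Authenticate", protocol);
            }
            response.setHeader("Connection", "close");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            response.flushBuffer();
        } catch (final IOException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Sends an HTTP error with the given status code.
     *
     * @param response
     *            the response to write to
     * @param code
     *            the HTTP status code
     * @throws RuntimeException
     *             wrapping any {@link IOException} raised while writing
     */
    protected void sendError(final HttpServletResponse response, final int code) {
        try {
            response.sendError(code);
        } catch (final IOException e) {
            throw new RuntimeException(e);
        }
    }

    /** This base class does not report an authentication method name. */
    @Override
    protected String getAuthMethod() {
        return null;
    }

    /**
     * Logs a user on with the Windows provider and turns the resulting identity into a Tomcat
     * principal.
     *
     * <p>If the Windows logon throws, or if it yields a Guest identity while
     * {@link #allowGuestLogin} is {@code false}, authentication is delegated to
     * {@code super.doLogin} (the container realm). The native identity is always disposed before
     * returning, including on the guest-rejection path.
     *
     * @param request
     *            the current request
     * @param username
     *            the user name to log on
     * @param password
     *            the password to log on with
     * @return the authenticated principal, or whatever {@code super.doLogin} returns on fallback
     * @throws ServletException
     *             propagated from {@code super.doLogin}
     */
    @Override
    protected Principal doLogin(final Request request, final String username, final String password)
            throws ServletException {
        this.log.debug("logging in: {}", username);
        final IWindowsIdentity windowsIdentity;
        try {
            windowsIdentity = this.auth.logonUser(username, password);
        } catch (final Exception e) {
            // Any logon failure falls back to the container realm; the stack trace is kept at TRACE.
            this.log.error(e.getMessage());
            this.log.trace("", e);
            return super.doLogin(request, username, password);
        }

        // Everything past this point owns a native identity handle; dispose it on every exit path.
        try {
            if (!this.allowGuestLogin && windowsIdentity.isGuest()) {
                this.log.warn("guest login disabled: {}", windowsIdentity.getFqn());
                return super.doLogin(request, username, password);
            }
            this.log.debug("successfully logged in {} ({})", username, windowsIdentity.getSidString());
            final GenericPrincipal genericPrincipal = this.createPrincipal(windowsIdentity);
            if (this.log.isDebugEnabled()) {
                this.log.debug("roles: {}", String.join(", ", genericPrincipal.getRoles()));
            }
            return genericPrincipal;
        } finally {
            windowsIdentity.dispose();
        }
    }

    /**
     * Creates the Tomcat principal for a Windows identity using the configured name formats.
     *
     * @param windowsIdentity
     *            the authenticated identity
     * @return a {@link GenericWindowsPrincipal} for the identity
     */
    protected GenericPrincipal createPrincipal(final IWindowsIdentity windowsIdentity) {
        return new GenericWindowsPrincipal(windowsIdentity, this.principalFormat, this.roleFormat);
    }

    /**
     * Creates the Windows authentication provider and then starts the Tomcat authenticator.
     *
     * <p>NOTE: the provider is created unconditionally, so any provider previously injected through
     * {@link #setAuth(IWindowsAuthProvider)} is replaced here.
     *
     * @throws LifecycleException
     *             propagated from {@code super.startInternal}
     */
    @Override
    public synchronized void startInternal() throws LifecycleException {
        this.log.debug("Creating a windows authentication provider with continueContextsTimeout property set to: {}",
                this.continueContextsTimeout);
        this.auth = new WindowsAuthProviderImpl(this.continueContextsTimeout);
        super.startInternal();
    }

}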